Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 3-5, 8-10, 12, and 15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 20110271118, Mahmoud Abd Alla et al (“Mahmoud”).
Regarding claim 1, A device for authenticating a password to be authenticated against a stored password comprising a first set of characters, the device comprising: one or more hardware processors; a memory, storing instructions, which when executed, cause the one or more hardware processors to perform operations comprising ([0021] The system aggregates the user password characters to create the actual user password (block 214), which is also a string of characters. The system then compares the actual user password submitted by the user with a user password stored by the system (block 216), such as the password entered by the user during the user registration process. If the password is valid, the 
Regarding claim 3, Mahmoud teaches further comprising operations of: receiving a third set of characters during a second authentication attempt; and causing access to be granted to the access-controlled resource based on determining that the third set of characters includes: a second subset of characters that match a portion of the first set of characters corresponding to the stored password, the 
Regarding claim 4, Mahmoud further comprising operations of: receiving a third set of characters during a second authentication attempt; and causing access to be granted to the access-controlled resource based on determining that the third set of characters includes: a second subset of characters that match a portion of the first set of characters corresponding to the stored password, the portion of the first set of characters having fewer characters than the first set of characters and in a same order; and the minimum number of second additional characters interspersed with the first subset of characters, and wherein the second additional characters differ from the additional characters (To ensure security of the data, the user is not prompted in the login screen to enter the additional characters (variable characters, terminator characters, and safeguard data). It is the user's responsibility 
Regarding claim 5, Mahmoud teaches wherein the operations of causing access to be granted to the access-controlled resource includes determining that the portion of the first set of characters includes a minimum number of characters corresponding to the stored password (The system aggregates the user password characters to create the actual user password (block 214), which is also a string of characters. The system then compares the actual user password submitted by the user with a user password stored by the system (block 216), such as the password entered by the user during the user registration process, [0021]).
Regarding claim 8, Mahmoud teaches wherein the operations of causing access to be granted to the access-controlled resource includes determining that a ratio of a distance of the first subset of characters to the second set of characters compared to a distance of a second subset of characters to the second set of characters exceeds a minimum ratio threshold (This string of characters includes the actual user password (1452) embedded with many other characters to conceal the actual password from unauthorized individuals or systems. The string of characters in box 300 is analyzed to find the four terminator characters (3676). Box 302 highlights the position of the four terminator characters. These terminator characters are identified by locating the first terminator character (3), followed by the second terminator character (6), then the third terminator character (7), and the fourth terminator character (6). The positions of the four terminator characters are shown by enlarging the specific 
Regarding claim 9, wherein the operations of determining that the second set of characters includes the first subset of characters includes matching a plurality of vectors comprising permutations of the received second set of characters against the first set of characters.
Claims 10, 12-14, 17-18 are method claims that are substantially equivalent to device claims 1-9.  Therefore claims 10, 12-14, 17-18 are rejected by a similar rationale.
Claim 19 is rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 20110271118, Mahmoud Abd Alla et al (“Mahmoud”).
Regarding claim 19, a device for authenticating a password to be authenticated against a stored password comprising a first set of characters, the device comprising: ([0021-0023] The system aggregates the user password characters to create the actual user password (block 214), which is also a string of characters. The system then compares the actual user password submitted by the user with a user password stored by the system (block 216), such as the password entered by the user during the user registration process. If the password is valid, the user is allowed access to the requested resource (block 220), such as a software application or web site. If the password is not valid, the user is denied access to the requested resource (block 222). If the user is denied access to the requested resource, the procedure may generate and communicate a message to the user indicating the denial of access): receiving a second set of characters to be authenticated during an authentication attempt; and causing access to be granted to an access-controlled resource based on: determining that no subset of the second set of characters matches the first set of characters corresponding to the stored password (The user then enters a string of characters (also referred to as a "modified password" or a "noisy password") that includes an actual user password as well as variable characters and terminator characters (block .
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 2, 7, 11 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Mahmoud as applied to claim 1 above, and further in view of Kolman et al. US 9722996 (“Kolman”).
Regarding claim 2, Mahmoud does not explicitly recite wherein the operations further comprise: receiving a third set of characters to be authenticated during a second authentication attempt; and rejecting access to the access-controlled resource based on a determination that a subset of the third set of characters matches the first set of characters corresponding to the stored password in entirety.
Kolman teaches operations further comprise: receiving a third set of characters to be authenticated during a second authentication attempt; and rejecting access to the access-controlled resource based on a determination that a subset of the third set of characters matches the first set of characters corresponding to the stored password in entirety (For example, in the case of a value of Similarity Threshold 142 indicating that 80 percent of the characters in User Entered Password 
Mahmoud and Kolman are analogous to password-based authentication using per-request risk scores. Previous authentication technologies that rely on passwords have exhibited significant shortcomings. While stronger passwords are known to provide better security, they are relatively long and complicated, and accordingly more difficult for users to memorize. Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Mahmoud with Kolman for the purpose of addressing the above described and other shortcomings of previous technologies, a risk score is generated for the authentication request based on the risk attributes and the user identifier associated with the authentication request, resulting in fewer chances of fraud (see Kolman col. 1 lines 30-67, col. 2 lines 0-20).
Regarding claim 7, Mahmoud does not explicitly teach wherein the operations of causing access to be granted to the access-controlled resource includes determining that the first subset of characters are a distance from the second set of characters that is less than the maximum distance threshold and greater than a zero distance threshold.
Kolman teaches wherein the operations of causing access to be granted to the access-controlled resource includes determining that the first subset of characters are a distance from the second set of characters that is less than the maximum distance threshold and greater than a zero distance threshold (The value of Risk Score 127 may, for example, be a probabilistic measure, such as a value between zero and one representing a probability that the actual user is not the user associated with the User Identifier 125, but is instead an imposter, with higher values indicating a higher risk. The Risk Engine 125 accordingly generates relatively probability values in Risk Score 217 for authentication requests having a higher risk of fraud, i.e. requests in which Risk Attributes 132 indicate that it is relatively more likely that the actual user presenting the user identifier is not the legitimate user identified by User Identifier 144, see Kolman, col. 7 lines 50-67, col. 8 lines 0-19).
Mahmoud and Kolman are analogous to password-based authentication using per-request risk scores. Previous authentication technologies that rely on passwords have exhibited significant shortcomings. While stronger passwords are known to provide better security, they are relatively long and complicated, and accordingly more difficult for users to memorize. Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the invention of Mahmoud with Kolman for the purpose of addressing the above described and other shortcomings of previous technologies, a risk score is generated for the authentication request based on the risk attributes and the user identifier associated with the authentication request, resulting in fewer chances of fraud (see Kolman col. 1 lines 30-67, col. 2 lines 0-20).
Claims 11 and 16 are method claims that are substantially equivalent to device claims 2 and 7.  Therefore claims 11 and 16 are rejected by a similar rationale.
Claims 6 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Mahmoud as applied to claim 1, and further in view of Lee US 20030172281 (“Lee”).
Regarding claim 6, Mahmoud does not explicitly teach wherein the operations of determining that the second set of characters includes the first subset of characters includes determining a match between portions of the second set of characters and the first subset of characters based on a distance function and a maximum distance threshold.
Lee teaches wherein the operations of determining that the second set of characters includes the first subset of characters includes determining a match between portions of the second set of characters and the first subset of characters based on a distance function and a maximum distance threshold (The input password as mentioned above includes the "actual password" and the "fake password." In more detail, first of all, when the user inputs a password through a key input unit 104, the CPU 100, supposing that a 16-digit password is inputted (S200 through S202), examines whether the predetermined actual passwords are all included in the input password, regardless of the characters' order (S204). At this time, the examination concerning whether all actual passwords are included in the input password regardless of the characters' order is accomplished by comparing the characters of the input password to those of the actual password one by one, [0022-0024]).
Mahmoud and Lee are analogous to user authentication method using password. Thus it would have been obvious to one of ordinary skill in the art, before the effective filing date of the invention to modify Mahmoud with Lee for the purpose of having a user authentication method in which the user can remember the actual password very easily, and yet get the same effect with changing the password (see Lee abstract).
Claim 15 is a method claim that is substantially equivalent to device claim 6.  Therefore claim 15 is rejected by a similar rationale.
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Mahmoud as applied to claim 19 above, and further in view of Kolman et al. US 9722996 (“Kolman”).
Regarding claim 20, Mahmoud does not explicitly teach wherein the device further comprises: means for receiving a third set of characters to be authenticated during a second authentication attempt; and means for rejecting access to the access-controlled resource based on a determination that a subset of the third set of characters matches the first set of characters corresponding to the stored password in entirety.
Kolman teaches operations further comprise: receiving a third set of characters to be authenticated during a second authentication attempt; and rejecting access to the access-controlled resource based on a determination that a subset of the third set of characters matches the first set of characters corresponding to the stored password in entirety (For example, in the case of a value of Similarity Threshold 142 indicating that 80 percent of the characters in User Entered Password Characters 148 must match the corresponding characters in Partial Password 140, and where Partial Password 140 has a length of 5, then only if 4 or more characters in User Entered Password Characters 148 match the corresponding characters in Partial Password 140 would Partial Password Comparison Logic 130 determine that User Entered Password Characters 148 match Partial Password 140. Other similarity metrics may be used as alternatives to a percentage of matching characters. For example, in an alternative embodiment, Similarity Threshold 142 may be a maximum edit distance (e.g. Levenshtein distance) that may exist between User Entered Password Characters 148 and Partial Password 140 in order for there to be a match. In the event that Partial Password Comparison Logic 130 finds that the User Entered Password Characters 148 do not match Partial Password 140, the disclosed system may further be embodied to compare increasing numbers of user-entered password characters with increasingly large partial password, see Kolman, Col. 10 lines 20-40).
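The comparison rules quoted above from Kolman (a percentage of matching corresponding characters, or a maximum Levenshtein distance) and earlier from Lee (all actual-password characters present regardless of order) can be contrasted in a short sketch. This is an added example, not code from the Office action or from the cited references; the function names, the sample passwords, and the multiset reading of Lee's order-independent check are assumptions.

```python
from collections import Counter

def positional_match(entered: str, partial: str, threshold_pct: int = 80) -> bool:
    """Percentage rule as quoted from Kolman: at least threshold_pct percent of
    the partial password's characters must equal the entered character at the
    same position (80% of a 5-character partial password -> 4 or more)."""
    required = (threshold_pct * len(partial) + 99) // 100  # integer ceiling
    hits = sum(1 for e, p in zip(entered, partial) if e == p)
    return hits >= required

def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def edit_distance_match(entered: str, partial: str, max_distance: int = 1) -> bool:
    """Alternative rule quoted from Kolman: match if the edit distance does not
    exceed a maximum. max_distance=1 is an assumed value for illustration."""
    return levenshtein(entered, partial) <= max_distance

def contains_all_unordered(entered: str, actual: str) -> bool:
    """Order-independent check as quoted from Lee: every character of the actual
    password occurs in the input. Counting repeats is an assumption here."""
    have = Counter(entered)
    return all(have[ch] >= n for ch, n in Counter(actual).items())

if __name__ == "__main__":
    partial = "s3cr3"  # constructed 5-character partial password
    for attempt in ("s3cx3", "s3xx3", "s3c3"):  # constructed attempts
        print(attempt,
              positional_match(attempt, partial),
              edit_distance_match(attempt, partial))
    # Constructed 16-digit input hiding the constructed actual password "4821".
    print(contains_all_unordered("9182736450192837", "4821"))
```

The dropped-character attempt `s3c3` fails the positional rule (3 of 5 positions agree) but passes the edit-distance rule, which is why the choice of similarity metric changes what counts as a match.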
Mahmoud and Kolman are analogous to password-based authentication using per-request risk scores. Previous authentication technologies that rely on passwords have exhibited significant shortcomings. While stronger passwords are known to provide better security, they are relatively long 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Mirza Israr Javed whose telephone number is (571)270-0332.  The examiner can normally be reached on Monday-Friday 9 AM-5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Lynn Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/MATTHEW SMITHERS/Primary Examiner, Art Unit 2437